Taipei City Department of Education firewall: installation procedure and notes
19 March 2018
CONFIDENTIAL – INTERNAL ONLY
Fortinet Confidential
Agenda
• Firewall settings
• Installation work
• Sign-off documents
Firewall settings
• Use OS 5.0 MR2 Patch 3 on every unit
• FortiGate 5.2.3 VM and Installation Guide download location:
  https://www.dropbox.com/sh/dw7wlv0dfehd8ku/AABHaVQ7AtqXBLxx8qveWjja?dl=0
• After receiving a unit, always use the console to erase the existing firmware and then upload the new firmware (whatever version the unit originally ran)
• Set the correct time zone
• The admin account is for the teacher's use
• Also create a second superadmin account, username tpe with password tpe21002458, and enable HTTPS administrative access on the WAN port so the unit can be reached for remote login
• If the teacher wants to restrict the management IP (trusted hosts), enter Lealea Technology's (力麗科技) IP: 59.124.82.62
Firmware reset procedure – mode 1
• Set the PC's IP address to 192.168.1.168 and connect it to the FG200D's MGMT port
• Open the console and the TFTP software
• Power on the FG200D

    FortiGate-200D (17:46-08.07.2014)
    Ver:05000004
    Serial number:FG200D4614809035
    RAM activation
    CPU(00:000206a7 bfebfbff): MP initialization
    CPU(02:000206a7 bfebfbff): MP initialization
    Total RAM: 4096MB
    Enabling cache...Done.
    Scanning PCI bus...Done.
    Allocating PCI resources...Done.
    Enabling PCI resources...Done.
    Zeroing IRQ settings...Done.
    Verifying PIRQ tables...Done.
    Boot up, boot device capacity: 15272MB.
    Press any key to display configuration menu....

Press any key to interrupt the boot process.
Enter "F" to erase the existing firmware, then "Y" to confirm:

    [C]: Configure TFTP parameters.
    [R]: Review TFTP parameters.
    [T]: Initiate TFTP firmware transfer.
    [F]: Format boot device.
    [B]: Boot with backup firmware and set as default.
    [I]: System information.
    [Q]: Quit menu and continue to boot.
    [H]: Display this list of options.

    Enter C,R,T,F,B,I,Q,or H:
    All data will be erased,continue:[Y/N]?
    Formatting boot device....
    Format boot device completed.
Enter "R" to check that each parameter is correct:

    Enter C,R,T,F,B,I,Q,or H:
    Image download port: MGMT
    DHCP status: disabled
    Local VLAN ID: none
    Local IP address: 192.168.1.68
    Local subnet mask: 255.0
    Local gateway: 192.168.1.254
    TFTP server IP address: 192.168.1.168
    Firmware file name: FGT_200D-v5-build0318-FORTINET.out

    Enter C,R,T,F,B,I,Q,or H:

The firmware file name shown is wrong and must be replaced: enter "C" to change it.
Enter "F" to change the firmware file name, then type the 5.2.3 image file name:

    [P]: Set image download port.
    [D]: Set DHCP mode.
    [I]: Set local IP address.
    [S]: Set local subnet mask.
    [G]: Set local gateway.
    [V]: Set local VLAN ID.
    [T]: Set remote TFTP server IP address.
    [F]: Set firmware image file name.
    [E]: Reset TFTP parameters to factory defaults.
    [R]: Review TFTP parameters.
    [N]: Diagnose networking (ping).
    [Q]: Quit this menu.
    [H]: Display this list of options.

    Enter P,D,I,S,G,V,T,F,E,R,N,Q or H:
    Enter firmware file name [FGT_200D-v5-build0318-FORTINET.out]: FGT_200D-v5-build0670-FORTINET.out
Enter "Q" to return to the top-level menu, then "R" to check the parameters once more:

    Enter P,D,I,S,G,V,T,F,E,R,N,Q or H:
    [C]: Configure TFTP parameters.
    [R]: Review TFTP parameters.
    [T]: Initiate TFTP firmware transfer.
    [F]: Format boot device.
    [B]: Boot with backup firmware and set as default.
    [I]: System information.
    [Q]: Quit menu and continue to boot.
    [H]: Display this list of options.

    Enter C,R,T,F,B,I,Q,or H:
    Image download port: MGMT
    DHCP status: disabled
    Local VLAN ID: none
    Local IP address: 192.168.1.68
    Local subnet mask: 255.0
    Local gateway: 192.168.1.254
    TFTP server IP address: 192.168.1.168
    Firmware file name: FGT_200D-v5-build0670-FORTINET.out
Enter "T" to start the firmware transfer; at the [D/B/R] prompt enter "d" to make the new image the default firmware:

    Enter C,R,T,F,B,I,Q,or H:
    Please connect TFTP server to Ethernet port "MGMT".
    Initiating firmware TFTP Transfer...
    MAC:08:5B:0E:AD:7E:40
    ################
    Total 33922470 bytes data downloaded.
    Verifying the integrity of the firmware image.
    Total 262144kB unzipped.
    Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?d
    Programming the boot device now.
    ................
    Reading boot image 1379898 bytes.
    Initializing firewall...
    System is starting...
    Resizing shared data partition...done
    Formatting shared data partition...done!
    Starting system maintenance...
    Scanning /dev/sda1... (100%)

The unit has now booted with the new firmware.
Firmware reset procedure – mode 2
• Set the PC's IP address to 192.168.1.168 and connect it to the FG200D's MGMT port
• Open the console and the TFTP software
• Power on the FG200D

    FortiGate-600C (20:43-08.19.2014)
    Ver:04000023
    Serial number:FG200D3914802273
    RAM activation
    CPU(00:00020655 bfebfbff): MP initialization
    CPU(01:00020655 bfebfbff): MP initialization
    Total RAM: 4096MB
    Enabling cache...Done.
    Scanning PCI bus...Done.
    Allocating PCI resources...Done.
    Enabling PCI resources...Done.
    Zeroing IRQ settings...Done.
    Verifying PIRQ tables...Done.
    Boot up, boot device capacity: 15272MB.
    Press any key to display configuration menu...

Press any key to interrupt the boot process.
Enter "F" to erase the existing firmware, then "Y" to confirm:

    [G]: Get firmware image from TFTP server.
    [F]: Format boot device.
    [B]: Boot with backup firmware and set as default.
    [I]: Configuration and information.
    [Q]: Quit menu and continue to boot with default firmware.
    [H]: Display this list of options.

    Enter Selection [G]:
    Enter G,F,B,I,Q,or H:
    All data will be erased,continue:[Y/N]?
    Formatting boot device....
    Format boot device completed.
Enter "G" to start the firmware transfer. Press Enter to skip the TFTP server address prompt, type the 5.2.3 image file name at the file-name prompt, and enter "d" at the [D/B/R] prompt to make the new image the default firmware:

    Enter G,F,B,I,Q,or H:
    Please connect TFTP server to Ethernet port "MGMT1".
    Enter TFTP server address [192.168.1.168]:
    Enter local address [192.168.1.188]:
    Enter firmware image file name [image.out]: FGT_200D-v5-build0670-FORTINET.out
    MAC:085B0E9CAED2
    ################
    Total 32526608 bytes data downloaded.
    Verifying the integrity of the firmware image.
    Total 262144kB unzipped.
    Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?d
    Programming the boot device now.
    ................
    Reading boot image 1376326 bytes.
    Initializing firewall...
    System is starting...
    Formatting shared data partition...done!

The unit has now booted with the new firmware.
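Both modes above end with the unit verifying the image it received over TFTP, but the image file itself comes from a shared folder, so it is worth checking the file on the PC before starting the TFTP server. The following Python script is an added example, not part of the original deck and not a Fortinet tool: it parses the image file name (the pattern is inferred from the names used in this procedure, an assumption), confirms the model and build match what the procedure expects (FGT_200D, build 0670 for 5.2.3), and compares the file's SHA-256 with the checksum published for that image on the vendor's support portal. The sample image bytes and the functions `parse_image_name`, `preflight` and `make_sample_image` are the example's own constructions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Image file name pattern inferred from the names used in this procedure
# (e.g. FGT_200D-v5-build0670-FORTINET.out); an assumption, not a vendor spec.
IMAGE_NAME_RE = re.compile(
    r"^(?P<model>FGT_[0-9A-Z]+)-v(?P<major>\d+)-build(?P<build>\d{4})-FORTINET\.out$"
)


def parse_image_name(name):
    """Split a FortiGate image file name into model, major version and build.

    Returns None when the name does not follow the expected pattern, which is
    itself a reason not to load the file.
    """
    m = IMAGE_NAME_RE.match(name)
    if m is None:
        return None
    return {
        "model": m.group("model"),
        "major": int(m.group("major")),
        "build": int(m.group("build")),
    }


def sha256_of_file(path):
    """Hex SHA-256 of a file, read in 1 MiB chunks so a large image is not held in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preflight(path, expected_model, expected_build, expected_sha256):
    """Return a list of problems found with the image; an empty list means it may be transferred.

    expected_sha256 must be the checksum the vendor publishes for this image,
    not a value taken from the same shared folder the file was downloaded from.
    """
    problems = []
    path = Path(path)
    info = parse_image_name(path.name)
    if info is None:
        problems.append(f"file name {path.name!r} does not look like a FortiGate image")
        return problems
    if info["model"] != expected_model:
        problems.append(f"image is for {info['model']}, target unit is {expected_model}")
    if info["build"] != expected_build:
        problems.append(f"image is build {info['build']:04d}, expected build {expected_build:04d}")
    if not path.is_file():
        problems.append(f"{path} not found")
        return problems
    actual = sha256_of_file(path)
    if actual.lower() != expected_sha256.lower():
        problems.append(f"SHA-256 mismatch: got {actual}, expected {expected_sha256}")
    return problems


def make_sample_image():
    """Write a constructed stand-in for an image into a temp dir; return (path, sha256).

    The bytes are arbitrary (constructed for this example, not real firmware);
    only the file name and the checksum matter for the check.
    """
    directory = Path(tempfile.mkdtemp(prefix="fgt-image-"))
    path = directory / "FGT_200D-v5-build0670-FORTINET.out"
    path.write_bytes(b"constructed sample image bytes, not real firmware\n" * 64)
    return str(path), sha256_of_file(path)


if __name__ == "__main__":
    sample_path, sample_sha = make_sample_image()
    for issue in preflight(sample_path, "FGT_200D", 670, sample_sha) or ["image checks passed"]:
        print(issue)
```

Run it against the downloaded .out file with the checksum from the support portal before starting the TFTP server; a build mismatch is exactly the mistake the "R" review step above catches on the unit, only earlier.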
• Build the interfaces inside zones: put each interface into a zone
• TANet connects to WAN1; the LAN uses switch port 1 (split out as its own interface) and the Wi-Fi network uses switch port 2 (split out as its own interface)
• Name the zones WAN, LAN and WIFI
Remove the SIP session helper so it does not interfere with VoIP
Enter the following in the CLI:

    config system settings
        set sip-helper disable
    end
    config system session-helper
        delete 13
    end

Entry 13 is the sip helper in the default session-helper table. Run "show system session-helper" first and confirm that entry 13 is the one with "set name sip" before deleting it, since the numbering can differ on a unit whose table has been edited.
Authentication (wireless authentication is performed by the FortiGate)
• Wireless users (on the legacy fat APs and on the Cisco thin APs) reach the FortiGate over the wired network
• Authenticate against the Department of Education RADIUS and the school's own AD or RADIUS at the same time
User & Device -> Authentication -> RADIUS Servers, add a new entry
RADIUS Server Name: your choice
Primary Server IP: 163.21.249.130
Primary Server Secret: tpeduaaa
"Test Connectivity" can be used: ask the teacher to enter a Department of Education account and password to test.
If the school's own authentication server is RADIUS, create a second entry the same way.
AD server
User & Device -> Authentication -> LDAP Servers, add a new entry
Name: your choice
Primary Server IP: as appropriate for the school
Server Port: 389
Common Name Identifier: sAMAccountName
Distinguished Name: as in the example figure; the full path is required
Bind Type: Regular
User DN: as in the example figure; the full path is required
Password: as set on the bind account
Use "Test Connectivity" to confirm the bind succeeds.
Port 389 is plain LDAP, so the bind account's password and every user's credentials cross the school network unencrypted; where the AD server supports it, enable Secure Connection (LDAPS, port 636) on this server entry instead.
Configure the authentication group
User & Device -> User Groups, add a new entry
Name: your choice
Remote Groups -> Add -> select the RADIUS and LDAP servers created earlier
Enable the captive portal on the interface
• Select the WIFI interface
• Security Mode -> Captive Portal
• User Groups -> the group created earlier
Exemption list for wireless learning devices
User & Device -> Device Definitions, add a new entry
Alias: enter the MAC address
User & Device -> Device Groups, add a new entry
Name: your choice
Members: add the required MAC addresses
WIFI interface
Exempt List: select the device group created earlier
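The device definitions and the device group above are keyed entirely on MAC addresses, which schools usually hand over as a spreadsheet in mixed notations. The following Python script is an added example, not part of the original deck: it normalises each address, rejects entries that cannot be a client (malformed, multicast/broadcast bit set, or a duplicate of an earlier line) and renders the surviving entries as FortiOS CLI so the exempt list can be pasted in one go instead of typed per device. The sample list is constructed; the CLI command names (`config user device`, `set mac`, `config user device-group`, `set member`) are what the example's author expects on FortiOS 5.2 and should be confirmed on the unit with `?` before pasting.

```python
import re

# Constructed sample: MAC addresses as they typically arrive from a school's
# device list, in mixed notations. None of these are real devices.
SAMPLE_LIST = [
    ("tablet-01", "02:00:5e:10:00:01"),
    ("tablet-02", "02-00-5E-10-00-02"),
    ("tablet-03", "0200.5e10.0003"),
    ("tablet-04", "02005E100004"),
    ("tablet-05", "02:00:5e:10:00:01"),   # duplicate of tablet-01
    ("tablet-06", "01:00:5e:10:00:06"),   # multicast bit set: not a host address
    ("tablet-07", "02:00:5e:10:00"),      # truncated
]


def normalize_mac(raw):
    """Return the MAC as lower-case colon-separated text, or None if it is not 48 bits.

    Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff and aabbccddeeff.
    """
    hex_digits = re.sub(r"[:\-.]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", hex_digits):
        return None
    return ":".join(hex_digits[i:i + 2] for i in range(0, 12, 2))


def is_multicast(mac):
    """True when the I/G bit of the first octet is set; such an address never identifies a device."""
    return int(mac[:2], 16) & 0x01 == 1


def validate(entries):
    """Return (accepted, rejected): accepted holds (alias, mac), rejected holds (alias, raw, reason)."""
    accepted, rejected, seen = [], [], {}
    for alias, raw in entries:
        mac = normalize_mac(raw)
        if mac is None:
            rejected.append((alias, raw, "not a valid 48-bit MAC"))
        elif is_multicast(mac):
            rejected.append((alias, raw, "multicast/broadcast address"))
        elif mac in seen:
            rejected.append((alias, raw, f"duplicate of {seen[mac]}"))
        else:
            seen[mac] = alias
            accepted.append((alias, mac))
    return accepted, rejected


def fortios_cli(accepted, group_name):
    """Render FortiOS CLI for the device definitions and the device group.

    Command names are assumed (FortiOS 5.2 as the example's author expects them);
    confirm on the unit before pasting.
    """
    lines = ["config user device"]
    for alias, mac in accepted:
        lines += [f'    edit "{alias}"', f"        set mac {mac}", "    next"]
    lines.append("end")
    lines.append("config user device-group")
    lines.append(f'    edit "{group_name}"')
    members = " ".join(f'"{alias}"' for alias, _ in accepted)
    lines.append(f"        set member {members}")
    lines += ["    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    ok, bad = validate(SAMPLE_LIST)
    for alias, raw, reason in bad:
        print(f"skipped {alias} ({raw}): {reason}")
    print(fortios_cli(ok, "learning-devices"))
```

A MAC exemption identifies a device, not a user, and the address is visible to anything on the same wireless network, so keep the group to the learning devices that genuinely need it and review the rejected lines with the teacher rather than silently dropping them.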
Installation work
• Before installation, be sure to confirm the current state of the network according to the "initial acceptance form"
  City network connectivity reference site: http://speedtest.tp.edu.tw
  School website IPv6 test site: http://ipv6.tp.edu.tw/
  DNS IPv6 test site: http://ipv6.tp.edu.tw/dns.php
• After the cabling has been moved over, ask the teacher to reboot the Layer 3 devices above and below the firewall: Cisco 3560 and Cisco Wireless Controller (most schools have exactly these)
• On the FG200D run the command diag ipv6 address list, find the port that connects to the Wireless Controller and write down its local address (in this example the controller is on port16)
• Log in to the Cisco Controller and change the IPv6 gateway: Controller -> Interfaces -> IPv6 Gateway
• Remember to save after the change
• After the change, log in to the Cisco Controller over telnet and ping 2001:b000:168::1 (HiNet DNS). P.S. Do not use the GUI ping test; it cannot reach the target. (The controller also accepts SSH, which avoids sending the login in cleartext; either works for this test.)
• If Telnet is not enabled on the Controller, enable it under Management
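The step above asks the installer to read the controller-facing port's local address out of diag ipv6 address list by eye. The following Python script is an added example, not part of the original deck: it parses that output into records, lists the addresses on an interface, and returns the one link-local (fe80::/10) address of the named port, which is the value to enter as the controller's IPv6 gateway. The sample output is constructed, its key=value layout follows the example author's recollection of the command and is an assumption, and the global addresses use the 2001:db8::/32 documentation prefix.

```python
import ipaddress

# Constructed sample of what "diag ipv6 address list" prints on the FG200D.
# The key=value layout is an assumption about the command's format; the
# addresses are documentation-prefix and made-up link-local values.
SAMPLE_OUTPUT = """\
dev=3 devname=wan1 flag=P scope=0 prefix=64 addr=2001:db8:ffff:1::2 preferred=4294967295 valid=4294967295
dev=3 devname=wan1 flag=P scope=253 prefix=64 addr=fe80::a5b:eff:fead:7e40 preferred=4294967295 valid=4294967295
dev=21 devname=port16 flag=P scope=0 prefix=64 addr=2001:db8:16::1 preferred=4294967295 valid=4294967295
dev=21 devname=port16 flag=P scope=253 prefix=64 addr=fe80::a5b:eff:fead:7e50 preferred=4294967295 valid=4294967295
dev=1 devname=lo flag=P scope=254 prefix=128 addr=::1 preferred=4294967295 valid=4294967295
"""


def parse_address_list(text):
    """Turn each key=value line into a dict, with addr parsed as an IPv6Address."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        try:
            fields["addr"] = ipaddress.IPv6Address(fields["addr"])
        except (KeyError, ValueError):
            continue  # not an address entry; skip it
        rows.append(fields)
    return rows


def addresses_for(text, devname):
    """All IPv6 addresses configured on one interface, as strings, in output order."""
    return [str(r["addr"]) for r in parse_address_list(text) if r.get("devname") == devname]


def link_local_for(text, devname):
    """Return the single link-local address of an interface, or raise ValueError.

    The link-local address is the one to enter as the controller's IPv6 gateway.
    Raising on zero or several candidates forces a person to look at the
    output instead of the script silently picking the wrong address.
    """
    cands = [r["addr"] for r in parse_address_list(text)
             if r.get("devname") == devname and r["addr"].is_link_local]
    if len(cands) != 1:
        raise ValueError(f"{devname}: expected one link-local address, found {len(cands)}")
    return str(cands[0])


if __name__ == "__main__":
    print("port16 address for the controller's IPv6 Gateway field:",
          link_local_for(SAMPLE_OUTPUT, "port16"))
```

Paste the real command output into a file and call link_local_for on it with the port the controller is cabled to; if the FortiGate's link-local address ever changes (for example after the unit is replaced), the controller's gateway entry must be updated again, which is why the value is worth recording on the topology diagram.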
Sign-off documents
• FortiGate operation manual
• Quick troubleshooting guide
• Firewall initial acceptance form:
  https://dl.dropboxusercontent.com/u/53758003/%E6%95%99%E8%82%B2%E5%B1%80/%E4%BA%A4%E4%BB%98%E8%B3%87%E6%96%99/104%E9%98%B2%E7%81%AB%E7%89%86%E5%88%9D%E9%A9%97%E8%A1%A8-new-F2.docx
• Topology diagram (after installation):
  https://dl.dropboxusercontent.com/u/53758003/%E6%95%99%E8%82%B2%E5%B1%80/%E4%BA%A4%E4%BB%98%E8%B3%87%E6%96%99/%E6%8B%93%E6%A8%B8%E5%9C%96.docx
• Apply the warranty sticker
• Equipment photos
• After installation is complete, have each school's IT section chief sign the documents above and make a copy; the copy stays with the school, and the original is brought back and handed to the responsible section chief, who delivers it to Lealea Technology
• Each vendor's person in charge fills in the "work-hours sheet" every day and sends it to Harry: harry@llt.com.tw. Download location:
  https://dl.dropboxusercontent.com/u/53758003/%E6%95%99%E8%82%B2%E5%B1%80/%E4%BA%A4%E4%BB%98%E8%B3%87%E6%96%99/(Excel%E6%AA%94)%E8%87%BA%E5%8C%97%E5%B8%82%E6%95%99%E8%82%B2%E7%B6%B2223%E5%AE%B6%E5%AD%B8%E6%A0%A1_%E5%B7%A5%E4%BD%9C%E6%99%82%E6%95%B8%E8%A1%A8v2.xlsx
• Many internal IPs translated to one public IP (internal to external)
• One-to-one mapping (usually in the DMZ)
• IPv6 RA must be enabled
• Put the web servers into one address group; when a site is added later, just add its IP to that policy
• Make a separate policy for the school administration system
• If the environment survey form cannot be provided, ask the teacher for the firewall login details and connect in yourself to migrate the settings
• Alternatively, open internal-to-external completely, then ask the teacher which externally facing services exist and configure those directly
Fortinet FortiGate